ABSTRACT

Cyberspace is now recognized as the fifth operational domain, and future military operations will both
rely on, and — at least in part — be fought within, it. In addition, the dependency on cyberspace of the
entire national critical infrastructure will continue to increase.

This paper proposes an analytic model for multi-domain cyber operations, which, coupled with a
comprehensive cyber operation capability frame of reference, can serve as the basis for a solution
architecture to provide the required automated decision support (ADS) capability. The benefits of such an
ADS capability are highlighted in the context of selected scenarios for multi-domain operations, and an
implementation plan is proposed and discussed.

New Dangers for a New Era

The coming era will be characterized by increasing competition for scarce global resources such as water,
food, minerals, oil, and labor. Some academics predict global instability and conflict in the next ten
years. Today, the richest people and the largest companies in the world are no longer American. In
2013, the Chinese bank ICBC unseated Exxon Mobil as the world’s biggest company and took the
number one spot for the first time. Another Chinese bank, China Construction Bank, moved up 11 spots
to No. 2 on the list. Mexican Carlos Slim is once again the world’s richest person, followed by Bill Gates.
Amancio Ortega of Spanish retailer Zara moved up to No. 3 for the first time. The United States can no
longer assume an undisputed leadership role in the global economy and politics, and thus can no longer
set the economic trend or expect other leading economies to cooperate.

The 2010 Quadrennial Defense Review (QDR) noted that climate change is an “accelerant of instability
or conflict,” which will play a “significant role in shaping the future security environment”; will cause a
“...need to adjust to the impacts of climate change on our facilities and military capabilities”; and will
result in “...placing a burden to respond on civilian institutions and militaries around the world.” The
2012 DoD national security report to Congress noted that “Chinese actors are the world’s most active and
persistent perpetrators of economic espionage.... Chinese attempts to collect U.S. technological and
economic information will continue at a high level and will represent a growing and persistent threat to
U.S. economic security.” It is imperative for the United States to articulate strategies and identify the
resources, tools, and techniques needed to confront the challenges of this new era.

Regardless of the strategy adopted by the Cyber community, there will be decisions that require access to
information that is generally in non-federated repositories. The resources necessary to support cyber
operations are extremely heterogeneous and require prepositioning of access mechanisms to non-federated
repositories before events and operations, and every interaction required for a cyber operation
also requires pre-validated tools and techniques. For cyber-operational solutions to have the necessary
level of robustness, they must address these issues.

Cyberspace - A New Operational Domain

The U.S. Department of Defense (DoD) recognizes cyberspace as the fifth operational domain. In 2011,
the Department published DoD Strategy for Operating in Cyberspace, noting that DoD must (1) Protect
DoD networks and systems and (2) Partner with others to confront cyber threats nationally and
internationally. Likewise, the 2012 Capstone Concept for Joint Operations (CCJO) advocates globally
integrated operations — which have networking and information technology (IT) at their core — as the
principle upon which future Joint Forces operations should be based. Furthermore, the Joint Operational
Access Concept (JOAC) advocates the development of cross-domain synergy, i.e., “the complementary
employment of capabilities in different domains such that each enhances the effectiveness and
compensates for the vulnerabilities of the others.” The cyber domain will be a key venue for applying
these strategic concepts.

In addition to the importance of cyberspace to military operations, much of U.S. critical infrastructure is
dependent on a safe and reliable cyberspace. Presidential Policy Directive (PPD) 21 identifies 16 critical
infrastructure sectors, including Chemical, Commercial Facilities, Communications, Critical
Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food
and Agriculture, Government Facilities, Healthcare and Public Health, IT, Nuclear Reactors/Materials/Waste,
Transportation Systems, and Water/Wastewater Systems. The nation’s economic health is
dependent on protecting cyberspace, which enables commercial activities and financial transactions. The
complex interplay of international economic, kinetic, and cyber competition is illustrated in Figure 1
below.

Figure 1. Interplay of Economic, Kinetic, and Cyber Competition Factors

This multi-domain competition can be at a strategic level, involving major players such as China and
Russia. At an operational level it may involve second-tier players such as Iran, Venezuela, Syria, and
North Korea. At a tactical level, it may involve focused operations such as the Supervisory Control and
Data Acquisition (SCADA) attack on Iran’s nuclear facilities. In the coming era of persistent conflict, the
United States will increasingly find itself involved in multi-domain conflicts and should prepare
accordingly.

Economic and Societal Conflict

Perhaps the domain most difficult to understand is that of economic and societal conflict. The coming era
will be characterized by increasing competition for scarce global resources such as water, food, minerals,
oil, and labor. Intelligence will play a key role in understanding adversaries’ behavior.

Understanding the sentiment underlying the decisions of a nation will be important in dealing with
conflict situations that may arise. Such sentiment can depress markets and foment revolutions. Failing
to foresee the political disintegration of countries such as Libya and Egypt following the Arab Spring is a
widely noted U.S. intelligence failure. Could analysis of publicly available data (Twitter, news feeds,
blogs, and government economic projections) have identified hot spots such as those in Egypt where
organizers used Twitter and social media to rally protestors?

An example of how an adversary can affect important infrastructure is the AP News Twitter hack on the
White House that caused a brief market crash. In economic scenarios, another example is that although
the oil markets predicted the Arab embargo in 1973, the intelligence community (IC) did not. A further
example of economic intelligence is information provided by prediction markets that use crowd sourcing.

Machine learning (ML) technology can help mine social media, news sources, and other intelligence for
the purpose of sentiment analysis and prediction of possible future scenarios. One can use machine
learning to design a prediction agent. Wall Street uses ML technology for trading on predictions
derived from observed sentiment. In DoD, the Office of Naval Research’s (ONR) Social, Cultural, and
Behavioral Sciences program aims to develop socio-culturally informed human behavior models to
enhance training in, planning for, and analysis of irregular warfare and Stability, Security, Transition, and
Reconstruction (SSTR) operations.

There is a rich global sensor network for Intelligence, Surveillance, and Reconnaissance (ISR) containing
information on agriculture, materials, energy data, transportation routes, weather disruptions, credit
ratings, currency exchange, interest rates, and stock markets. Systems are being researched to mine this
information. Because economic and social science intelligence can often be obtained from open
source and other digital sources, it is important to consider using these sources for cyberspace operations
to aid prediction of economic and social stress.


Cyber Operations

The DoD has extensive operations in cyberspace. A frame of reference for cyberoperations is illustrated
in Figure 2 below:

[Figure: Situational Understanding via Knowledge Integration]

Figure 2. A Cyberoperations Frame of Reference

The goal of cyberoperations is situational understanding via knowledge integration. To do this requires
knowledge of objects, which can be represented in cyberspace in a variety of ways. Objects can be
people, perhaps those composing organizations, represented by attributes (faces, activities, roles) such as
terrorist leader or group. Objects may also be weapons, vehicles, and information which may need
tracking. Key needs are tagging, tracking, and locating (TTL) these objects. A cyber tag may be
embedded in cyber transactions that may allow the identification of the owner, creator, or modifier of the
transaction. A cyber track makes possible the pursuit of a transaction by following signatures left behind
as files move or are at rest throughout cyberspace. One goal is to cyber locate tagged objects so they are
resolved to a region in space and time.

DoD does not generally own the networks capable of TTL and must attempt to operate under commercial,
neutral, or hostile conditions. Cyberspace has many parts: the public internet, commercial and financial
enterprise, foreign military, foreign government, allied and U.S. military, foreign and domestic SCADA
networks, etc. The Department of Homeland Security (DHS) has become increasingly concerned about
the lack of security of such control networks because such control systems are owned by private
companies and are increasingly being interconnected to improve efficiency.

Information within Command, Control, Communications, Computers, Intelligence, Surveillance, and
Reconnaissance (C4ISR) networks and cyberoperations can be affected by intrusion, denial of service, or
disabling of network or services. This may compromise other information, weapons and command
centers, and other infrastructure. A goal of cyberoperations may also be perception management of the
targeted countries’ population.

Situational Understanding for Decision Support

There are significant challenges in understanding a situation. First, there is a large amount of data relevant
to a situation and it changes constantly. The topology of nodes, links, nodal equipment, architecture,
protocols, and networks is always in flux. Also, network traffic is changing, together with software
applications for the user and for the managers of the networks. Constantly evolving threats force the
evolution of mitigation strategies to confront them. Network and component sensors are either integrated
or temporarily deployed. Some types of information change rapidly (traffic loads, node and link faults,
attacks - physical or cyber), whereas others change more slowly (configuration of elements, maintenance
status, modeling of proposed changes).

Another challenge is that information needed is difficult to capture and of variable quality. Databases of
the network elements, computers, and architectures are often incomplete, and the information is kept in
disparate databases and comes from different sources assembled by a variety of collection strategies with
incompatible data collection tools.

Furthermore, the knowledge to be gleaned is difficult to understand. There is a heterogeneous
infrastructure of many networks, many operators, and many users. There are different dependencies and
relationships among equipment, applications, and protocols. There are also many complex information
assurance strategies for areas such as access control and for computer network defense.

An overriding issue is how to merge and efficiently manipulate information from disparate sources, and
then provide adequate analytical capabilities without getting bogged down in the “schema-to-schema
mapping” swamp. A possible architecture for accomplishing this is depicted in Figure 3 below.

Figure 3. Proposed Solution Architecture to Address Information Heterogeneity and Disparity in Cyberspace

Note that the collected data sources include non-traditional items, such as news and social networks, as
well as traditional DoD surveillance sources. To extract knowledge requires advanced artificial
intelligence software, including natural language processing, machine learning, and rule-based inference
software that makes use of an extensive knowledgebase.

Scenarios for Multi-Domain Operations

A variety of scenarios for using this system for cyber incident analysis and decision support can be
envisioned. They include a SCADA attack with physical destruction, information-destroying cyber-attack
on financial institutions, analysis of known preparations for attack in kinetic or cyber domains, a security
compromise in the DoD supply-chain with cyber-bombs in critical systems, and cyber-espionage of
Defense Industrial Base (DIB) strategic companies.

Another group of scenarios for economic and market signals includes the IC issuing a National
Intelligence Estimate (NIE) signaling a crisis ahead, the oil market signaling an oil embargo as in 1973,
and financial intelligence (FININT) alerting the system to suspicious trades by persons or organizations of
interest.

Additionally, the system may be used for execution of a planned response to cyber-attack by a major
power such as China or by a small hacker group that executes a distributed denial of service (DDoS)
attack on banks.

Conclusion

The DoD has long believed in the value of C4ISR, but it has not focused on collecting, processing, and
understanding these new types of intelligence. To a degree, the IC has filled the void, but with a heavy
reliance on labor-intensive analytical support. The time has come to automate and upgrade general
intelligence gathering capabilities to reflect the new global realities and the capabilities made possible by
new technologies and information sources.